Merge pull request #247 from skalenetwork/enhancement/SKALE-3636-SGX-Server-anti-DOS-protections

Enhancement/skale 3636 sgx server anti dos protections

Merge pull request #247 from skalenetwork/enhancement/SKALE-3636-SGX-Server-anti-DOS-protections
Enhancement/skale 3636 sgx server anti dos protections
2d36b9a5 · Stan Kladko · GitHub · dcbec9b5 · eca53241 · 2d36b9a5
Unverified Commit 2d36b9a5 authored Dec 04, 2020 by Stan Kladko Committed by GitHub Dec 04, 2020
Show whitespace changes
Inline Side-by-side

Showing with 85 additions and 8 deletions

Log.h Log.h +10 -0

SGXWalletServer.cpp SGXWalletServer.cpp +63 -8

SGXWalletServer.hpp SGXWalletServer.hpp +11 -0

common.h common.h +1 -0

No files found.
--- a/Log.h
+++ b/Log.h
@@ -74,6 +74,16 @@ public:
    static void handleSGXException(Json::Value &_result, SGXException &_e);
 };

+
+#define COUNT_STATISTICS \
+static uint64_t __COUNT__ = 0; \
+__COUNT__++; \
+if (__COUNT__ % 1000 == 0) { \
+spdlog::info(string(__FUNCTION__) +  " processed " + to_string(__COUNT__) + " requests"); \
+}
+
+
+
 #define INIT_RESULT(__RESULT__)     Json::Value __RESULT__; \
              int errStatus = UNKNOWN_ERROR; boost::ignore_unused(errStatus); string errMsg(BUF_LEN, '\0');__RESULT__["status"] = UNKNOWN_ERROR; __RESULT__["errorMessage"] = \
 "Server error. Please see server log.";

--- a/SGXWalletServer.cpp
+++ b/SGXWalletServer.cpp
@@ -58,6 +58,7 @@ std::shared_timed_mutex sgxInitMutex;
 uint64_t initTime;

 void setFullOptions(uint64_t _logLevel, int _useHTTPS, int _autoconfirm, int _enterBackupKey) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);

    CHECK_STATE(_logLevel <= 2)
@@ -79,6 +80,7 @@ void setFullOptions(uint64_t _logLevel, int _useHTTPS, int _autoconfirm, int _en
 }

 void setOptions(uint64_t _logLevel, int _useHTTPS, int _autoconfirm) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    setFullOptions(_logLevel, _useHTTPS, _autoconfirm, false);
 }
@@ -120,6 +122,7 @@ void SGXWalletServer::printDB() {


 int SGXWalletServer::initHttpsServer(bool _checkCerts) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);

    spdlog::info("Initing server, number of threads: {}", NUM_THREADS);
@@ -174,6 +177,7 @@ int SGXWalletServer::initHttpsServer(bool _checkCerts) {
 }

 int SGXWalletServer::initHttpServer() { //without ssl
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    httpServer = make_shared<HttpServer>(BASE_PORT + 3, "", "", "", false,
                                         NUM_THREADS);
@@ -188,6 +192,7 @@ int SGXWalletServer::initHttpServer() { //without ssl

 Json::Value
 SGXWalletServer::importBLSKeyShareImpl(const string &_keyShare, const string &_keyShareName) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result);

@@ -227,9 +232,32 @@ SGXWalletServer::importBLSKeyShareImpl(const string &_keyShare, const string &_k
    RETURN_SUCCESS(result);
 }

+
+map <string, string> SGXWalletServer::blsRequests;
+recursive_mutex SGXWalletServer::blsRequestsLock;
+
+map <string, string> SGXWalletServer::ecdsaRequests;
+recursive_mutex SGXWalletServer::ecdsaRequestsLock;
+
+void SGXWalletServer::checkForDuplicate(map <string, string> &_map, recursive_mutex &_m,
+                                        const string &_key,
+                       const string &_value) {
+
+    LOCK(_m);
+    if (_map.count(_key) && _map.at(_key) == _value) {
+        usleep(100 * 1000);
+        spdlog::warn(string("Received an identical request from the client:") + __FUNCTION__);
+    }
+    _map[_key] =  _value;
+}
+
+
 Json::Value
 SGXWalletServer::blsSignMessageHashImpl(const string &_keyShareName, const string &_messageHash, int t, int n) {
    spdlog::trace("Entering {}", __FUNCTION__);
+
+    COUNT_STATISTICS
+
    INIT_RESULT(result)

    result["status"] = -1;
@@ -240,6 +268,10 @@ SGXWalletServer::blsSignMessageHashImpl(const string &_keyShareName, const strin

    shared_ptr <string> value = nullptr;

+
+    checkForDuplicate(blsRequests, blsRequestsLock, _keyShareName, _messageHash);
+
+
    try {
        if (!checkName(_keyShareName, "BLS_KEY")) {
            throw SGXException(INVALID_POLY_NAME, "Invalid BLSKey name");
@@ -277,6 +309,7 @@ SGXWalletServer::blsSignMessageHashImpl(const string &_keyShareName, const strin

 Json::Value SGXWalletServer::importECDSAKeyImpl(const string &_keyShare,
                                                const string &_keyShareName) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)
    result["encryptedKey"] = "";
@@ -307,6 +340,7 @@ Json::Value SGXWalletServer::importECDSAKeyImpl(const string &_keyShare,
 }

 Json::Value SGXWalletServer::generateECDSAKeyImpl() {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)
    result["encryptedKey"] = "";
@@ -334,6 +368,7 @@ Json::Value SGXWalletServer::generateECDSAKeyImpl() {
 }

 Json::Value SGXWalletServer::ecdsaSignMessageHashImpl(int _base, const string &_keyName, const string &_messageHash) {
+    COUNT_STATISTICS
    spdlog::trace("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -343,6 +378,9 @@ Json::Value SGXWalletServer::ecdsaSignMessageHashImpl(int _base, const string &_

    vector <string> signatureVector(3);

+    checkForDuplicate(ecdsaRequests, ecdsaRequestsLock, _keyName, _messageHash);
+
+
    try {
        string hashTmp = _messageHash;
        if (hashTmp[0] == '0' && (hashTmp[1] == 'x' || hashTmp[1] == 'X')) {
@@ -378,6 +416,7 @@ Json::Value SGXWalletServer::ecdsaSignMessageHashImpl(int _base, const string &_
 }

 Json::Value SGXWalletServer::getPublicECDSAKeyImpl(const string &_keyName) {
+    COUNT_STATISTICS
    spdlog::debug("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -400,6 +439,7 @@ Json::Value SGXWalletServer::getPublicECDSAKeyImpl(const string &_keyName) {
 }

 Json::Value SGXWalletServer::generateDKGPolyImpl(const string &_polyName, int _t) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -421,6 +461,7 @@ Json::Value SGXWalletServer::generateDKGPolyImpl(const string &_polyName, int _t
 }

 Json::Value SGXWalletServer::getVerificationVectorImpl(const string &_polyName, int _t, int _n) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -450,6 +491,7 @@ Json::Value SGXWalletServer::getVerificationVectorImpl(const string &_polyName,
 }

 Json::Value SGXWalletServer::getSecretShareImpl(const string &_polyName, const Json::Value &_pubKeys, int _t, int _n) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result);
    result["secretShare"] = "";
@@ -491,6 +533,7 @@ Json::Value SGXWalletServer::getSecretShareImpl(const string &_polyName, const J

 Json::Value SGXWalletServer::dkgVerificationImpl(const string &_publicShares, const string &_ethKeyName,
                                                 const string &_secretShare, int _t, int _n, int _index) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)
    result["result"] = false;
@@ -522,6 +565,7 @@ Json::Value SGXWalletServer::dkgVerificationImpl(const string &_publicShares, co
 Json::Value
 SGXWalletServer::createBLSPrivateKeyImpl(const string &_blsKeyName, const string &_ethKeyName, const string &_polyName,
                                         const string &_secretShare, int _t, int _n) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -573,6 +617,7 @@ SGXWalletServer::createBLSPrivateKeyImpl(const string &_blsKeyName, const string
 }

 Json::Value SGXWalletServer::getBLSPublicKeyShareImpl(const string &_blsKeyName) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -592,6 +637,7 @@ Json::Value SGXWalletServer::getBLSPublicKeyShareImpl(const string &_blsKeyName)
 }

 Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value &publicShares, int t, int n) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -638,6 +684,7 @@ Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value &pu
 }

 Json::Value SGXWalletServer::complaintResponseImpl(const string &_polyName, int _t, int _n, int _ind) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -681,6 +728,7 @@ Json::Value SGXWalletServer::complaintResponseImpl(const string &_polyName, int
 }

 Json::Value SGXWalletServer::multG2Impl(const string &_x) {
+    COUNT_STATISTICS
    INIT_RESULT(result)

    try {
@@ -694,6 +742,7 @@ Json::Value SGXWalletServer::multG2Impl(const string &_x) {
 }

 Json::Value SGXWalletServer::isPolyExistsImpl(const string &_polyName) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -711,17 +760,20 @@ Json::Value SGXWalletServer::isPolyExistsImpl(const string &_polyName) {
 }

 Json::Value SGXWalletServer::getServerStatusImpl() {
+    COUNT_STATISTICS
    INIT_RESULT(result)
    RETURN_SUCCESS(result)
 }

 Json::Value SGXWalletServer::getServerVersionImpl() {
+    COUNT_STATISTICS
    INIT_RESULT(result)
    result["version"] = TOSTRING(SGXWALLET_VERSION);
    RETURN_SUCCESS(result)
 }

 Json::Value SGXWalletServer::deleteBlsKeyImpl(const string &name) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -744,7 +796,9 @@ Json::Value SGXWalletServer::deleteBlsKeyImpl(const string &name) {
    RETURN_SUCCESS(result)
 }

-Json::Value SGXWalletServer::getSecretShareV2Impl(const string &_polyName, const Json::Value &_pubKeys, int _t, int _n) {
+Json::Value
+SGXWalletServer::getSecretShareV2Impl(const string &_polyName, const Json::Value &_pubKeys, int _t, int _n) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result);
    result["secretShare"] = "";
@@ -786,6 +840,7 @@ Json::Value SGXWalletServer::getSecretShareV2Impl(const string &_polyName, const

 Json::Value SGXWalletServer::dkgVerificationV2Impl(const string &_publicShares, const string &_ethKeyName,
                                                   const string &_secretShare, int _t, int _n, int _index) {
+    COUNT_STATISTICS
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)
    result["result"] = false;

--- a/SGXWalletServer.hpp
+++ b/SGXWalletServer.hpp
@@ -38,6 +38,17 @@ using namespace std;
 class SGXWalletServer : public AbstractStubServer {
    static shared_ptr<SGXWalletServer> server;
    static shared_ptr<HttpServer> httpServer;
+
+    static map<string,string> blsRequests;
+    static recursive_mutex blsRequestsLock;
+    static map<string,string> ecdsaRequests;
+    static recursive_mutex ecdsaRequestsLock;
+
+
+
+    static void checkForDuplicate(map <string, string> &_map, recursive_mutex &_m, const string &_key,
+    const string &_value);
+
 public:
    static const char* getVersion() {
        return TOSTRING(SGXWALLET_VERSION);

--- a/common.h
+++ b/common.h
@@ -107,6 +107,7 @@ extern uint64_t initTime;
 #define ENCLAVE_RESTART_PERIOD_S 60 * 10
 #endif

+#define LOCK(__X__) std::lock_guard<std::recursive_mutex> __LOCK__(__X__);
 #define READ_LOCK(__X__) std::shared_lock<std::shared_timed_mutex> __LOCK__(__X__);
 #define WRITE_LOCK(__X__) std::unique_lock<std::shared_timed_mutex> __LOCK__(__X__);